CONFIG_BPFILTER is aimed to provide a replacement for netfilter.
When CONFIG_BPFILTER is enabled, the kernel tries to contact a user mode helper
for each iptable rule update. However the implementation of this helper has not
been upstreamed yet. The communication thus fails and the kernel then falls back
to netfilter.
As a result, the rule update takes more than ten times the duration of the
netfilter implementation alone.
This has been reported by Docker Desktop users for whom it can take minutes to
start a container sharing a few hundred ports. https://github.com/for-mac/issues/5668
More details on the situation is described in https://lwn.net/Articles/822744/.
Signed-off-by: Frederic Dalleau <frederic.dalleau@docker.com>
The bcc portion of the build had been disabled because it wasn't
building. Now that bcc is building again, add it back to the list of
default targets in the kernel build.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
This moves up to bcc 0.20.0 and builds on the latest 3.13 Alpine base
image. It uses libelf from Alpine, which allows us to drop a number of
the patches we were carrying and reduce the number of steps taken in the
bcc build.
This builds for me on a branch of tip against 5.11.x, 5.10.x,
5.10.x-dbg, and 5.4.x on x86_65. I have not had a chance to attempt
this on other platforms due to lack of hardware.
Signed-off-by: Krister Johansen <krister.johansen@oracle.com>
Declare KERNEL_SOURCE as an environment variable so it
get's picked up in kernel-source-info
fixes#3653
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
5.4.x is the only kernel left which does not have
WireGuard in tree and it people should be using more
recent kernels. Remove the now special case for
compiling out of tree WireGuard.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
The kernel config is derived from 5.6.x by running it through
make oldconfig.
For x86_64 changed manually:
- CONFIG_VIRTIO_MEM=m -> y
- CONFIG_PLDMFW=y -> not set
For aarch64 changed manually:
- CONFIG_SMSC_PHY=m -> not set
- CONFIG_PLDMFW=y -> not set
No adjustment to s390x config
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
This commit removes Notary and Content Trust.
Notary v1 is due to be replaced with Notary v2 soon.
There is no clean migration path from one to the other.
For now, this removes all signing from LinuxKit.
We will look to add this back once a new Notary alternative
becomes available.
Signed-off-by: Dave Tucker <dave@dtucker.co.uk>
The patch we carry for 5.4 and 5.6 does not apply to
5.4.28. Disable the -rt kernel until the version has
been bumped.
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
This was previously build for 5.4 and 4.19. Latest LTS is 5.4 and
latest stable is 5.6. Also skip s390x build for perf
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
For some reason, the 'make ARCH=s390 oldconfig' yields
a different config when executing on a real s390c system...
Signed-off-by: Rolf Neugebauer <rn@rneugeba.io>
